<!DOCTYPE html>
<html lang="en">
<head>

    <title>FASTCash for Linux</title>
    <meta charset="utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
    <meta name="HandheldFriendly" content="True" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    
    <link rel="preload" as="style" href="https://haxrob.net/assets/built/screen.css?v=9159c4dccf" />
    <link rel="preload" as="script" href="https://haxrob.net/assets/built/casper.js?v=9159c4dccf" />

    <link rel="stylesheet" type="text/css" href="https://haxrob.net/assets/built/screen.css?v=9159c4dccf" />

    <meta name="description" content="Analysis of a newly discovered Linux based variant of the DPRK attributed FASTCash malware along with background information on payment switches used in financial networks.">
    <link rel="icon" href="https://haxrob.net/content/images/size/w256h256/2024/04/logo2.png" type="image/png">
    <link rel="canonical" href="https://haxrob.net/fastcash-for-linux/">
    <meta name="referrer" content="no-referrer-when-downgrade">
    
    <meta property="og:site_name" content="haxrob">
    <meta property="og:type" content="article">
    <meta property="og:title" content="FASTCash for Linux">
    <meta property="og:description" content="Analysis of a newly discovered Linux based variant of the DPRK attributed FASTCash malware along with background information on payment switches used in financial networks.">
    <meta property="og:url" content="https://haxrob.net/fastcash-for-linux/">
    <meta property="og:image" content="https://images.unsplash.com/photo-1551260627-fd1b6daa6224?crop&#x3D;entropy&amp;cs&#x3D;tinysrgb&amp;fit&#x3D;max&amp;fm&#x3D;jpg&amp;ixid&#x3D;M3wxMTc3M3wwfDF8c2VhcmNofDl8fGF0bXxlbnwwfHx8fDE3MzEyMDczMDZ8MA&amp;ixlib&#x3D;rb-4.0.3&amp;q&#x3D;80&amp;w&#x3D;2000">
    <meta property="article:published_time" content="2024-10-13T02:51:35.000Z">
    <meta property="article:modified_time" content="2024-11-10T02:55:55.000Z">
    <meta property="article:tag" content="Linux">
    <meta property="article:tag" content="malware">
    
    <meta name="twitter:card" content="summary_large_image">
    <meta name="twitter:title" content="FASTCash for Linux">
    <meta name="twitter:description" content="Analysis of a newly discovered Linux based variant of the DPRK attributed FASTCash malware along with background information on payment switches used in financial networks.">
    <meta name="twitter:url" content="https://haxrob.net/fastcash-for-linux/">
    <meta name="twitter:image" content="https://images.unsplash.com/photo-1551260627-fd1b6daa6224?crop&#x3D;entropy&amp;cs&#x3D;tinysrgb&amp;fit&#x3D;max&amp;fm&#x3D;jpg&amp;ixid&#x3D;M3wxMTc3M3wwfDF8c2VhcmNofDl8fGF0bXxlbnwwfHx8fDE3MzEyMDczMDZ8MA&amp;ixlib&#x3D;rb-4.0.3&amp;q&#x3D;80&amp;w&#x3D;2000">
    <meta name="twitter:label1" content="Written by">
    <meta name="twitter:data1" content="haxrob">
    <meta name="twitter:label2" content="Filed under">
    <meta name="twitter:data2" content="Linux, malware">
    <meta name="twitter:site" content="@haxrob">
    <meta property="og:image:width" content="1200">
    <meta property="og:image:height" content="803">
    
    <script type="application/ld+json">
{
    "@context": "https://schema.org",
    "@type": "Article",
    "publisher": {
        "@type": "Organization",
        "name": "haxrob",
        "url": "https://haxrob.net/",
        "logo": {
            "@type": "ImageObject",
            "url": "https://haxrob.net/content/images/size/w256h256/2024/04/logo2.png"
        }
    },
    "author": {
        "@type": "Person",
        "name": "haxrob",
        "image": {
            "@type": "ImageObject",
            "url": "https://haxrob.net/content/images/2024/04/TXPejNZ1_400x400.jpg",
            "width": 208,
            "height": 208
        },
        "url": "https://haxrob.net/author/haxrob/",
        "sameAs": []
    },
    "headline": "FASTCash for Linux",
    "url": "https://haxrob.net/fastcash-for-linux/",
    "datePublished": "2024-10-13T02:51:35.000Z",
    "dateModified": "2024-11-10T02:55:55.000Z",
    "image": {
        "@type": "ImageObject",
        "url": "https://images.unsplash.com/photo-1551260627-fd1b6daa6224?crop=entropy&cs=tinysrgb&fit=max&fm=jpg&ixid=M3wxMTc3M3wwfDF8c2VhcmNofDl8fGF0bXxlbnwwfHx8fDE3MzEyMDczMDZ8MA&ixlib=rb-4.0.3&q=80&w=2000",
        "width": 1200,
        "height": 803
    },
    "keywords": "Linux, malware",
    "description": "Analysis of a newly discovered Linux based variant of the DPRK attributed FASTCash malware along with background information on payment switches used in financial networks.",
    "mainEntityOfPage": "https://haxrob.net/fastcash-for-linux/"
}
    </script>

    <meta name="generator" content="Ghost 5.103">
    <link rel="alternate" type="application/rss+xml" title="haxrob" href="https://haxrob.net/rss/">
    <script defer src="https://cdn.jsdelivr.net/ghost/portal@~2.46/umd/portal.min.js" data-i18n="true" data-ghost="https://haxrob.net/" data-key="a952a68b24bb1716a990186c72" data-api="https://haxrob.ghost.io/ghost/api/content/" data-locale="en" crossorigin="anonymous"></script><style id="gh-members-styles">.gh-post-upgrade-cta-content,
.gh-post-upgrade-cta {
    display: flex;
    flex-direction: column;
    align-items: center;
    font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, 'Open Sans', 'Helvetica Neue', sans-serif;
    text-align: center;
    width: 100%;
    color: #ffffff;
    font-size: 16px;
}

.gh-post-upgrade-cta-content {
    border-radius: 8px;
    padding: 40px 4vw;
}

.gh-post-upgrade-cta h2 {
    color: #ffffff;
    font-size: 28px;
    letter-spacing: -0.2px;
    margin: 0;
    padding: 0;
}

.gh-post-upgrade-cta p {
    margin: 20px 0 0;
    padding: 0;
}

.gh-post-upgrade-cta small {
    font-size: 16px;
    letter-spacing: -0.2px;
}

.gh-post-upgrade-cta a {
    color: #ffffff;
    cursor: pointer;
    font-weight: 500;
    box-shadow: none;
    text-decoration: underline;
}

.gh-post-upgrade-cta a:hover {
    color: #ffffff;
    opacity: 0.8;
    box-shadow: none;
    text-decoration: underline;
}

.gh-post-upgrade-cta a.gh-btn {
    display: block;
    background: #ffffff;
    text-decoration: none;
    margin: 28px 0 0;
    padding: 8px 18px;
    border-radius: 4px;
    font-size: 16px;
    font-weight: 600;
}

.gh-post-upgrade-cta a.gh-btn:hover {
    opacity: 0.92;
}</style>
    <script defer src="https://cdn.jsdelivr.net/ghost/sodo-search@~1.5/umd/sodo-search.min.js" data-key="a952a68b24bb1716a990186c72" data-styles="https://cdn.jsdelivr.net/ghost/sodo-search@~1.5/umd/main.css" data-sodo-search="https://haxrob.ghost.io/" data-locale="en" crossorigin="anonymous"></script>
    
    <link href="https://haxrob.net/webmentions/receive/" rel="webmention">
    <script defer src="/public/cards.min.js?v=9159c4dccf"></script>
    <link rel="stylesheet" type="text/css" href="/public/cards.min.css?v=9159c4dccf">
    <script defer src="/public/member-attribution.min.js?v=9159c4dccf"></script><style>:root {--ghost-accent-color: #000000;}</style>
    <script>
  var _paq = window._paq = window._paq || [];
  /* tracker methods like "setCustomDimension" should be called before "trackPageView" */
  _paq.push(['trackPageView']);
  _paq.push(['enableLinkTracking']);
  (function() {
    var u="//svs.doubleagent.net/";
    _paq.push(['setTrackerUrl', u+'matomo.php']);
    _paq.push(['setSiteId', '1']);
    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
    g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);
  })();
</script>


  <style>

.gh-head, .site-header-content { background: #000; }

.site-header-content {
  min-height: 100px !important;
  max-height: 200px;
}
</style>

<script>

window.onload = function () {
    let portal = document.getElementById("ghost-portal-root");
    const interval = setInterval(() => {
        let frame = portal.querySelector('[title="portal-popup"]');
        if (frame !== null) {
            const styleElement = document.createElement("style");
            styleElement.innerHTML = `.gh-portal-powered { display: none; }`;
            frame.contentDocument.head.appendChild(styleElement);
        } else {
            frame = null
        }
    }, 300)
}
</script>


<!-- https://ghostfam.com/en/create-a-table-of-contents-for-ghost/ -->
<script src="https://cdn.jsdelivr.net/npm/tocbot@4.21.0/dist/tocbot.min.js"></script>
<link href="https://cdn.jsdelivr.net/npm/tocbot@4.21.0/dist/tocbot.min.css" rel="stylesheet">
<style>.gh-content{position:relative}.gh-toc>.toc-list{position:relative}.toc-list{overflow:hidden;list-style:none}@media (min-width:1300px){.gh-sidebar{position:absolute;top:0;bottom:0;margin-top:4vmin;grid-column:wide-start / main-start}.gh-toc{position:sticky;top:4vmin}li.toc-list-item{font-size:1.8rem}}.gh-toc .is-active-link::before{background-color:var(--ghost-accent-color)}a.toc-link{display:inline-flex;font-weight:400;height:100%;line-height:1.2em;padding:6px 0;text-decoration:none;transition:.4s ease;font-size:100%!important}li.toc-list-item{color:#738a94!important}a.toc-link:hover{color:#15171a!important}.is-collapsible a.is-active-link,a.is-active-link{color:#15171a!important;font-weight:500}@media (max-width:1400px){.gh-toc{background:#fff;border-radius:1em;box-shadow:0 10px 50px rgba(25,37,52,.14),0 2px 5px rgba(25,37,52,.03);padding:30px;width:100%}}</style>

</head>
<body class="post-template tag-linux tag-malware is-head-left-logo has-sans-body has-cover">
<div class="viewport">

    <header id="gh-head" class="gh-head outer">
        <div class="gh-head-inner inner">
            <div class="gh-head-brand">
                <a class="gh-head-logo no-image" href="https://haxrob.net">
                        haxrob
                </a>
                <button class="gh-search gh-icon-btn" aria-label="Search this site" data-ghost-search><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2" width="20" height="20"><path stroke-linecap="round" stroke-linejoin="round" d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z"></path></svg></button>
                <button class="gh-burger" aria-label="Main Menu"></button>
            </div>

            <nav class="gh-head-menu">
                <ul class="nav">
    <li class="nav-home"><a href="https://haxrob.net/">Home</a></li>
    <li class="nav-x-twitter"><a href="https://x.com/haxrob">X / Twitter</a></li>
    <li class="nav-about"><a href="https://haxrob.net/about/">About</a></li>
</ul>

            </nav>

            <div class="gh-head-actions">
                    <button class="gh-search gh-icon-btn" aria-label="Search this site" data-ghost-search><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2" width="20" height="20"><path stroke-linecap="round" stroke-linejoin="round" d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z"></path></svg></button>
                    <div class="gh-head-members">
                                <a class="gh-head-link" href="#/portal/signin" data-portal="signin">Sign in</a>
                                <a class="gh-head-button" href="#/portal/signup" data-portal="signup">Subscribe</a>
                    </div>
            </div>
        </div>
    </header>

    <div class="site-content">
        



<main id="site-main" class="site-main">
<article class="article post tag-linux tag-malware featured image-small">

    <header class="article-header gh-canvas">

        <div class="article-tag post-card-tags">
                <span class="post-card-primary-tag">
                    <a href="/tag/linux/">Linux</a>
                </span>
                <span class="post-card-featured"><svg width="16" height="17" viewBox="0 0 16 17" fill="none" xmlns="http://www.w3.org/2000/svg">
    <path d="M4.49365 4.58752C3.53115 6.03752 2.74365 7.70002 2.74365 9.25002C2.74365 10.6424 3.29678 11.9778 4.28134 12.9623C5.26591 13.9469 6.60127 14.5 7.99365 14.5C9.38604 14.5 10.7214 13.9469 11.706 12.9623C12.6905 11.9778 13.2437 10.6424 13.2437 9.25002C13.2437 6.00002 10.9937 3.50002 9.16865 1.68127L6.99365 6.25002L4.49365 4.58752Z" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
</svg> Featured</span>
        </div>

        <h1 class="article-title">FASTCash for Linux</h1>

            <p class="article-excerpt">Analysis of a newly discovered Linux based variant of the DPRK attributed FASTCash malware along with background information on payment switches used in financial networks.</p>

        <div class="article-byline">
        <section class="article-byline-content">

            <ul class="author-list instapaper_ignore">
                <li class="author-list-item">
                    <a href="/author/haxrob/" class="author-avatar" aria-label="Read more of haxrob">
                        <img class="author-profile-image" src="/content/images/size/w100/2024/04/TXPejNZ1_400x400.jpg" alt="haxrob" />
                    </a>
                </li>
            </ul>

            <div class="article-byline-meta">
                <h4 class="author-name"><a href="/author/haxrob/">haxrob</a></h4>
                <div class="byline-meta-content">
                    <time class="byline-meta-date" datetime="2024-10-13">Oct 13, 2024</time>
                        <span class="byline-reading-time"><span class="bull">&bull;</span> 19 min read</span>
                </div>
            </div>

        </section>
        </div>

            <figure class="article-image">
                <img
                    srcset="https://images.unsplash.com/photo-1551260627-fd1b6daa6224?crop&#x3D;entropy&amp;cs&#x3D;tinysrgb&amp;fit&#x3D;max&amp;fm&#x3D;jpg&amp;ixid&#x3D;M3wxMTc3M3wwfDF8c2VhcmNofDl8fGF0bXxlbnwwfHx8fDE3MzEyMDczMDZ8MA&amp;ixlib&#x3D;rb-4.0.3&amp;q&#x3D;80&amp;w&#x3D;300 300w,
                            https://images.unsplash.com/photo-1551260627-fd1b6daa6224?crop&#x3D;entropy&amp;cs&#x3D;tinysrgb&amp;fit&#x3D;max&amp;fm&#x3D;jpg&amp;ixid&#x3D;M3wxMTc3M3wwfDF8c2VhcmNofDl8fGF0bXxlbnwwfHx8fDE3MzEyMDczMDZ8MA&amp;ixlib&#x3D;rb-4.0.3&amp;q&#x3D;80&amp;w&#x3D;600 600w,
                            https://images.unsplash.com/photo-1551260627-fd1b6daa6224?crop&#x3D;entropy&amp;cs&#x3D;tinysrgb&amp;fit&#x3D;max&amp;fm&#x3D;jpg&amp;ixid&#x3D;M3wxMTc3M3wwfDF8c2VhcmNofDl8fGF0bXxlbnwwfHx8fDE3MzEyMDczMDZ8MA&amp;ixlib&#x3D;rb-4.0.3&amp;q&#x3D;80&amp;w&#x3D;1000 1000w,
                            https://images.unsplash.com/photo-1551260627-fd1b6daa6224?crop&#x3D;entropy&amp;cs&#x3D;tinysrgb&amp;fit&#x3D;max&amp;fm&#x3D;jpg&amp;ixid&#x3D;M3wxMTc3M3wwfDF8c2VhcmNofDl8fGF0bXxlbnwwfHx8fDE3MzEyMDczMDZ8MA&amp;ixlib&#x3D;rb-4.0.3&amp;q&#x3D;80&amp;w&#x3D;2000 2000w"
                    sizes="(min-width: 1400px) 1400px, 92vw"
                    src="https://images.unsplash.com/photo-1551260627-fd1b6daa6224?crop&#x3D;entropy&amp;cs&#x3D;tinysrgb&amp;fit&#x3D;max&amp;fm&#x3D;jpg&amp;ixid&#x3D;M3wxMTc3M3wwfDF8c2VhcmNofDl8fGF0bXxlbnwwfHx8fDE3MzEyMDczMDZ8MA&amp;ixlib&#x3D;rb-4.0.3&amp;q&#x3D;80&amp;w&#x3D;2000"
                    alt="FASTCash for Linux"
                />
                    <figcaption><span style="white-space: pre-wrap;">Photo by </span><a href="https://unsplash.com/@pampouks?utm_source=ghost&amp;utm_medium=referral&amp;utm_campaign=api-credit"><span style="white-space: pre-wrap;">Nick Pampoukidis</span></a><span style="white-space: pre-wrap;"> / </span><a href="https://unsplash.com/?utm_source=ghost&amp;utm_medium=referral&amp;utm_campaign=api-credit"><span style="white-space: pre-wrap;">Unsplash</span></a></figcaption>
            </figure>

    </header>

    <section class="gh-content gh-canvas">
        <h2 id="introduction">Introduction</h2><p>This post analyzes a newly identified variant of FASTCash "payment switch" malware which specifically targets the Linux operating system. The term 'FASTCash' is used to refer to the DPRK attributed malware that is installed on payment switches within compromised networks that handle card transactions for the means of facilitating the unauthorized withdrawal of cash from ATMs. </p><figure class="kg-card kg-image-card kg-width-wide kg-card-hascaption"><img src="https://haxrob.net/content/images/2024/10/image-24.png" class="kg-image" alt="" loading="lazy" width="1002" height="380" srcset="https://haxrob.net/content/images/size/w600/2024/10/image-24.png 600w, https://haxrob.net/content/images/size/w1000/2024/10/image-24.png 1000w, https://haxrob.net/content/images/2024/10/image-24.png 1002w"><figcaption><span style="white-space: pre-wrap;">In this </span><i><em class="italic" style="white-space: pre-wrap;">example</em></i><span style="white-space: pre-wrap;">, 'FASTCash for Linux' has intercepted, added funds and and approved a failed card before reaching the acquirer. </span></figcaption></figure><p>Discovery of a Linux variant adds to the list of operating systems that this malware has been compiled for, with prior samples known to target IBM AIX <em>(FASTCash for UNIX) </em>and Microsoft Windows <em>(FASTCash for Windows)</em>. As per an updated amended to CISA's<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-239a?ref=haxrob.net" rel="noreferrer"> 2018 advisory</a> for the <a href="https://www.cisa.gov/news-events/analysis-reports/ar20-239c?ref=haxrob.net" rel="noreferrer">Windows variant</a>:</p><blockquote>Since the publication of the in October 2018, there have been two particularly significant developments in the campaign: (1) the capability to conduct the FASTCash scheme against banks hosting their switch applications on Windows servers, and (2) an expansion of the FASTCash campaign to target interbank payment processors.</blockquote><p>The <a href="https://www.virustotal.com/gui/file/129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0?ref=haxrob.net" rel="noreferrer">first submission</a> of 'FASTCash for Windows' to VT was during September 2019, and first was publicly referenced by CISA in 2020. During the author's discovery of <a href="https://www.virustotal.com/gui/file/f34b532117b3431387f11e3d92dc9ff417ec5dcee38a0175d39e323e5fdb1d2c?ref=haxrob.net" rel="noreferrer">the Linux variant</a>, additional Windows samples have been identified which were submitted to VT within the month of June 2023, overlapping in time with the Linux variant submission. (<em>Notably, the most recent Windows variant with a previously unreported hash was </em><a href="https://www.virustotal.com/gui/file/609a5b9c98ec40f93567fbc298d4c3b2f9114808dfbe42eb4939f0c5d1d63d44/?ref=haxrob.net" rel="noreferrer"><em>submitted </em></a><em> is in the month of September 2024</em>)</p><div class="kg-card kg-callout-card kg-callout-card-grey"><div class="kg-callout-emoji">💡</div><div class="kg-callout-text">Both the identified Linux and Windows variants work in the currency of Turkish Lira as opposed to Indian Rupee in the AIX variant.</div></div><p>Newly unattributed Windows samples have some detections (likely) due to the process injection methods used, although the <a href="https://www.virustotal.com/gui/file/f34b532117b3431387f11e3d92dc9ff417ec5dcee38a0175d39e323e5fdb1d2c?ref=haxrob.net" rel="noreferrer">Linux sample</a> that is the primary focus of this post, has no detections as of writing:</p><figure class="kg-card kg-image-card kg-width-wide"><img src="https://haxrob.net/content/images/2024/10/image-16.png" class="kg-image" alt="" loading="lazy" width="768" height="201" srcset="https://haxrob.net/content/images/size/w600/2024/10/image-16.png 600w, https://haxrob.net/content/images/2024/10/image-16.png 768w"></figure><p><strong>IoCs can be found and the end of this post.</strong></p><p>Based on analysis of CISA's reported Windows sample against the Linux sample, both are are targeting very similar or the same payment infrastructure (bank or interbank network) within the same country - this assertion is made based on the unique properties of the fraudulent transaction responses that both variants share. Further details on this attribution can be found in the technical analysis later in this post.</p><p>The Linux sample that is of primary focus here is has been compiled for Ubuntu Linux 20.04 and developed sometime after April 21 2022  (based on compiler version), most likely developed in a Virtual Machine using the VMware hypervisor. </p><p>The Linux variant has slightly reduced functionality compared to its Windows predecessor, although it still retains key functionality: intercepting declined (magnetic swipe) transactions messages for a predefined list of card holder account numbers and then authorizing the transaction with a random amount of funds in the currency of Turkish Lira. </p><p>The FASTCash for Windows sample (<code>switch.dll</code>) reported in CISA/DHS <a href="https://www.cisa.gov/news-events/analysis-reports/ar20-239c?ref=haxrob.net" rel="noreferrer">MAR-10257062-1.v2</a>, which cites attribution to <a href="https://www.us-cert.gov/hiddencobra?ref=haxrob.net" rel="noreferrer">HIDDEN COBRA</a>.</p><div class="kg-card kg-callout-card kg-callout-card-grey"><div class="kg-callout-emoji">💡</div><div class="kg-callout-text">Other overlapping (financially motivated) intrusion set names within the "Lazarus group" umbrella may include <a href="https://cloud.google.com/blog/topics/threat-intelligence/apt38-details-on-new-north-korean-regime-backed-threat-group?ref=haxrob.net" rel="noreferrer">APT38 </a>(Mandiant), <a href="https://www.crowdstrike.com/adversaries/stardust-chollima/?ref=haxrob.net" rel="noreferrer">Stardust Chollima</a> (CrowdStrike), <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-239a?ref=haxrob.net" rel="noreferrer">BeagleBoyz</a> (CISA/DHS), <a href="https://securelist.com/lazarus-under-the-hood/77908/?ref=haxrob.net">BlueNoroff</a> (Kaspersky Lab) and <a href="https://www.microsoft.com/en-us/security/security-insider/diamond-sleet?ref=haxrob.net" rel="noreferrer">Diamond Sleet</a> (Microsoft) and more.</div></div><p>Analysis done between the AIX and the original Windows variant by <a href="https://x.com/kevinperlow?ref=haxrob.net" rel="noreferrer">Kevin Perlow</a> presented in his <a href="https://www.youtube.com/watch?v=zGvQPtejX9w&ref=haxrob.net" rel="noreferrer">Blackhat 2021 talk</a> and related <a href="https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf?ref=haxrob.net" rel="noreferrer">related paper</a>. As such, this post will specifically focus the newly identified Linux variant and its relation to the original Windows variant.</p><p>The next section of this post will attempt to explore in detail the terminology and technology related to card transactions processing systems. The intention of this section is to help facilitate the understanding of concepts  fundamental to card transaction platforms. </p><p><em>Skip to <strong>Part 2</strong> around midway in this post if you would rather head straight into the analysis of the Linux variant.</em></p><h2 id="part-1terminology-and-technology">Part 1 - Terminology and Technology</h2><h3 id="parties-involved">Parties involved</h3><p>First we start with terms used to refer to parties which may participate in a (credit or debit) card transaction:</p><ul><li>The <em>acquirer</em> (or <em>merchant acquirer</em>, or <em>acquiring bank</em>) enables a <em>merchant</em> to accept payment to a <em>cardholder. </em>For example, this is the bank a retail shop uses to enable their customers to make payments. The acquiring bank owns the ATM/PoS terminals and associated switch software and interchange connectivity. </li><li><em>Issuer</em> - The bank or financial institution that provides the credit or debit card to a customer. Within the context of the switch system, the issuer is the one that responds to acquirers with an approval or rejection message for a transaction. An issuer can be the acquiring bank. </li><li><em>Card Scheme</em> / <em>Card Network</em> such as Visa, Mastercard etc. In these examples, the card scheme is an intermediate party between the acquirer and issuer. There are exceptions, for example AMEX could also be the issuer. The issuing bank is a member of the card scheme.</li></ul><p>To illustrate better, the following diagram assumes the card holder makes a purchase on a credit card. The shop terminal reads the card data and sends it to the shop merchant's acquiring bank. Since the card holder belongs to a different bank, the request is sent to the card network (Visa, Mastercard etc.). The card issuing bank (the bank of the shopper) then does balance checks and so forth. </p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://haxrob.net/content/images/2024/10/image-32-1-1.png" class="kg-image" alt="" loading="lazy" width="1274" height="556" srcset="https://haxrob.net/content/images/size/w600/2024/10/image-32-1-1.png 600w, https://haxrob.net/content/images/size/w1000/2024/10/image-32-1-1.png 1000w, https://haxrob.net/content/images/2024/10/image-32-1-1.png 1274w" sizes="(min-width: 720px) 720px"><figcaption><span style="white-space: pre-wrap;">Example flow of an authorization request for a purchase with a credit card</span></figcaption></figure><h3 id="payment-switch">Payment switch</h3><p>A "Switch" is an intermediary routing system for the card transaction messages. They may connect multiple endpoints (ATM/POS terminals) to bank Hosts or provide a transit between parties such as <em>interbank networks</em> to perform duties such as routing of transactions, protocol conversion, and reporting/logging. Here "Host" may refer to a financial institution's core banking systems that perform the actual financial transaction against the card holder's account.</p><p>FASTCash malware which tampers with transaction messages could happen within a userspace process on a compromised switch where the message digest code either missing or not validated. The following diagram helps illustrate the role and placement of payment switches or ATM controllers. </p><figure class="kg-card kg-image-card kg-width-wide"><img src="https://haxrob.net/content/images/2024/10/image-26.png" class="kg-image" alt="" loading="lazy" width="1069" height="614" srcset="https://haxrob.net/content/images/size/w600/2024/10/image-26.png 600w, https://haxrob.net/content/images/size/w1000/2024/10/image-26.png 1000w, https://haxrob.net/content/images/2024/10/image-26.png 1069w"></figure><p>In the above diagram we have an assortment of ATMs and PoS terminals speaking a mixture of protocols. The switches are also speaking different dialects of <code>ISO8583</code> for interoperability between payment networks. The core banking systems (Centralized Online Real-time Environment) handles the actual transaction processing for the card holder (for example, depositing or withdrawal of funds from their account. The cardholders PIN used to authorize the transactions will be encrypted in a HSM)</p><h3 id="protocols-and-interfaces">Protocols and Interfaces</h3><p>Central to all of this is the <code>ISO8583</code> message format. The standard, known as "<em>Financial Transaction Card-Originated Messages — Interchange Message Specifications",</em> details the format and standard for debit and credit card transactions: actions such as checking a balance, withdrawing cash from an ATM or making a purchase from a Point of Sale terminal at a retail store. The fields are called "<em>data elements</em>" and are referenced by an integer number. Proprietary platforms or payment networks that process these messages will detail the meaning and format of data elements specific to their implementation. These specifications can get quite lengthy, often spanning many hundreds of pages in length.</p><div class="kg-card kg-callout-card kg-callout-card-grey"><div class="kg-callout-emoji">💡</div><div class="kg-callout-text">The first version of ISO8583 was released in the 80's - <a href="https://cdn.standards.iteh.ai/samples/15871/7c9171cccda84bd981fadb7a450e716b/ISO-8583-1993.pdf?ref=haxrob.net" rel="noreferrer"><code spellcheck="false" style="white-space: pre-wrap;">ISO8583:1987</code></a>, established upon an older standard by ANSI, <a href="https://x9.org/history-of-x9/?ref=haxrob.net" rel="noreferrer"><code spellcheck="false" style="white-space: pre-wrap;">X.92</code></a>. Before the ANSI standard gained adoption starting within the early 1980s, financial institutions used their own developed protocols and message structures. A newer (and generic standard, not just limited to card transactions) is <code spellcheck="false" style="white-space: pre-wrap;">ISO20022</code> that is represented in XML or encoded in ASN.1. Again, different payment networks or even countries may have their own derivates based upon <code spellcheck="false" style="white-space: pre-wrap;">ISO8583</code>. For example, in Australia this is known as <code spellcheck="false" style="white-space: pre-wrap;">AS2805</code> which is used for EFTPOS transactions. </div></div><p>While the standard does not define the transport protocol, these days it is common for <code>TCP/IP</code> to be used between Switches. Predating the Internet as we know it, many public and private packet switched networks were <a href="https://en.wikipedia.org/wiki/X.25?ref=haxrob.net" rel="noreferrer"><code>X.25</code></a> based and <a href="https://web.archive.org/web/20160304054052/http://www.mastercard.com/us/company/en/docs/X25_within_the_Payment_Card_Industry.pdf" rel="noreferrer">often used</a> in financial networks - and quite possibly <a href="https://community.cisco.com/t5/other-network-architecture-subjects/bsc3270-teller-machine-traffic-configuration-help/td-p/115557?ref=haxrob.net" rel="noreferrer">still is</a> in some places. Remnants of <code>X.25</code> still apply to today when referring to card transactions - the <code>ISO8583</code> standard does not specify how to route the messages over the network, and as such, a <a href="https://en.wikipedia.org/wiki/Transaction_Protocol_Data_Unit?ref=haxrob.net" rel="noreferrer"><code>TPDU</code></a> (Transaction Protocol Data Unit) was often used. The <code>TPDU</code> may include the origin and destination addresses (e.g. terminal and national network) and a message length. Once upon a time,  <a href="http://www.vanguardnetworks.com/Collateral/Documents/English-US/102_12.pdf?ref=haxrob.net" rel="noreferrer">hardware routers </a>existed that supported these messages over <code>X.25</code> packet switched networks and within <a href="https://en.wikipedia.org/wiki/High-Level_Data_Link_Control?ref=haxrob.net" rel="noreferrer"><code>HDLC</code></a><code>/</code><a href="https://en.wikipedia.org/wiki/Synchronous_Data_Link_Control?ref=haxrob.net" rel="noreferrer"><code>SDLC</code></a> links. In addition to a <code>TPDU</code>, a <code>16</code> bit unsigned integer is often prefixed before the <code>PDU</code> to indicate the message length (including the <code>PDU</code> length of <code>5</code> bytes).</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://haxrob.net/content/images/2024/10/image-20.png" class="kg-image" alt="" loading="lazy" width="689" height="359" srcset="https://haxrob.net/content/images/size/w600/2024/10/image-20.png 600w, https://haxrob.net/content/images/2024/10/image-20.png 689w"><figcaption><span style="white-space: pre-wrap;">Vanguard Networks TPDU Protocol, </span><a href="http://www.vanguardnetworks.com/Collateral/Documents/English-US/102_12.pdf?ref=haxrob.net" rel="noreferrer"><span style="white-space: pre-wrap;">page 4</span></a></figcaption></figure><p>We will see later that <code>linux.fastcash</code> (and the Windows variants) expects <code>ISO8583</code> messages to include both a <code>2</code> byte message length and <code>TPDU</code> prefixed before the <code>ISO8583</code> message.</p><h3 id="terminals">Terminals</h3><p><strong>Automatic Teller Machines</strong></p><p>ATMs are often connected to a network via dial-up/ASDL or leased lines. While most modern ATMs support TCP/IP, supposedly, the 1960's IBM <a href="https://en.wikipedia.org/wiki/Binary_Synchronous_Communications?ref=haxrob.net" rel="noreferrer">BSC </a>/ <a href="https://www.jaredsec.com/bisync/?ref=haxrob.net" rel="noreferrer">Bisync</a> protocol may still be <a href="https://www.jaredsec.com/bisync/?ref=haxrob.net" rel="noreferrer">used</a> in old ATMs, such as <a href="https://www.sourcesecurity.com/datasheets/dedicated-micros-atm-interface-module-digital-video-recorder-dvr/co-541-ga/MKT-ATMi-D-003E.pdf?ref=haxrob.net" rel="noreferrer">BSC3270</a>. ATM vendors often have have their own proprietary protocol such as NDC/NDC+ (NCR Direct Connect), DDC (Diebold Direct Connect) and Triton. While not published in the public domain, documents related to these standards can be found on the Internet. At some point a global standard, <code>CEN/XFS</code> was introduced which relieved the "vendor lock-in" in regards to mandating a specific ATM vendor's supported controller/switch product.</p><p><strong>Point of Service</strong></p><p>These days we often spot PoS terminals using connectivity over a telecom network or twisted pair over the PSTN. Older PoS terminal devices may have required a POS <a href="https://wwwuat.h3c.com/en/d_201904/1166207_294551_0.htm?ref=haxrob.net" rel="noreferrer">concentrator</a>. Taking an example - a very early proprietary PoS protocol (like many, based on <code>ISO8583</code>) is called <a href="https://iso8583.info/news/2015-02-15?ref=haxrob.net" rel="noreferrer"><code>HPDH</code> </a>(Hypercom POS Device Handler). Specification documents (again, found by an Internet search) details a <a href="https://en.wikipedia.org/wiki/High-Level_Data_Link_Control?ref=haxrob.net" rel="noreferrer"><code>HDLC</code> </a>frame which includes a 5 byte <code>TPDU</code> with a fixed ID number <code>0x60</code> which corresponds to the message type "<em>Transactions</em>":</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://haxrob.net/content/images/2024/10/image-3-1.png" class="kg-image" alt="" loading="lazy" width="512" height="217"><figcaption><span style="white-space: pre-wrap;">Hypercom HDLC frame including TPU and ISO8583 message</span></figcaption></figure><p>The use of <code>0x60</code> in a PoS <code>TPDU</code> appears common across different vendors and and implementations, perhaps inherited from Hypercom. The Windows and Linux FASTCash variants use very specific values in the TPDU header which could possibly provide pointers what kind of systems the infected switch(s) are interfacing with. More in this later.</p><h3 id="more-on-iso8583">More on ISO8583</h3><p>Let's take a look at some of the fields within the standard: </p><ul><li><code>MTI</code> - Four digits that indicate the source and function of the message. <code>linux.fastcash</code> (and the other related variants) support <code>100/110</code> (balance enquiry) and <code>200/210</code> (financial transaction). Balance checks (<code>MTI 100</code>) are likely used to verify that the malware is working by verifying that the card holder has fraudulent amount of funds in their account.</li></ul><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://haxrob.net/content/images/2024/10/image-4.png" class="kg-image" alt="" loading="lazy" width="565" height="370"><figcaption><span style="white-space: pre-wrap;">MTI table, page 2 from </span><a href="https://jpos.org/doc/jPOS-CMF.pdf?ref=haxrob.net" rel="noreferrer"><span style="white-space: pre-wrap;">jPOS Common Message Format</span></a></figcaption></figure><ul><li>Bitfield - A bitmap that marks which fields are present in the message. The position of the bit represents the data element ID number. </li><li>Data Element - The actual field that contains the information for a transaction. The standard specifies the meaning and format of many of these fields, but not all. We will come across custom formats with the FASTCash malware which is likely specific to the target's network or Switch implementation. When we refer to data elements, the convention <code>DE</code> will be prefixed with the element number. </li></ul><p>A description of some fields:</p><ul><li><code>DE2</code> (Primary Account Number) - The PAN, or customer account number</li><li><code>DE3</code> (Processing Code) - The response code. FASTCash checks this code to determine if "insufficient funds" is being returned from the <em>issuer</em> for a transaction.</li><li><code>DE4</code> (Transaction Amount) - Typically the value of the funds, for example, amount being requested to be withdrawn. <code>linux.fastcash</code> uses a different field for this.</li><li><code>DE22</code> (Point of Service Entry Mode) - The mode and PIN availability. Here FASTCash looks for Magnetic Swipe mode.</li><li><code>DE49</code> (Transaction Currency Code) - The currency code (as per <a href="https://en.wikipedia.org/wiki/ISO_4217?ref=haxrob.net" rel="noreferrer"><code>ISO4217</code></a>) of the funds. <code>linux.fastcash</code> and it's Windows equivalent specifies <a href="https://en.wikipedia.org/wiki/Turkish_lira?ref=haxrob.net" rel="noreferrer"><code>TRY</code></a> and a prior <a href="https://www.virustotal.com/gui/file/10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba?ref=haxrob.net" rel="noreferrer">AIX </a>variant can be found to use <a href="https://en.wikipedia.org/wiki/Indian_rupee?ref=haxrob.net" rel="noreferrer"><code>INR</code></a>.</li><li><code>DE52</code> (PIN) - Encrypted PIN which might be omitted if a PIN was not used (e.g. customer signed). In the case of <code>linux.fastcash</code> and it's prior Windows variant, the malware explicitly removed this field and the associated <code>DE53</code> (Bin Block) fields.</li></ul><p>A valuable reference document is "<a href="https://jpos.org/doc/jPOS-CMF.pdf?ref=haxrob.net" rel="noreferrer">jPOS Common Message Format</a>".</p><h3 id="integrity-and-encryption">Integrity and Encryption</h3><p>FASTCash malware targets systems that <code>ISO8583</code> messages at a specific intermediate host where security mechanisms that ensure the integrity of the messages are missing, and hence can be tampered. If the messages were integrity protected, a field such as <code>DE64</code> would likely include a <code>MAC</code> (message authentication code). As the standard does not define the algorithm, the <code>MAC</code> algorithm is implementation specific. </p><div class="kg-card kg-callout-card kg-callout-card-grey"><div class="kg-callout-emoji">💡</div><div class="kg-callout-text">One example of the secret that is used in a <code spellcheck="false" style="white-space: pre-wrap;">MAC</code> algorithm is the encrypted <code spellcheck="false" style="white-space: pre-wrap;">TSK</code> (Terminal Session Key) from a commonly used <a href="https://en.wikipedia.org/wiki/Master/Session?ref=haxrob.net" rel="noreferrer">Master/Session</a> key management scheme used in ATM/PoS devices (<code spellcheck="false" style="white-space: pre-wrap;">MK/SK</code> is being replaced by <a href="https://info.futurex.com/hubfs/Web%20Resources%20(PDFs)/uploads_05-28-24/Futurex_Whitepaper-DUKPT_Process.pdf?ref=haxrob.net" rel="noreferrer">DUKPT</a>) and many vendors support both). PCI standards publishes a list of approved <code spellcheck="false" style="white-space: pre-wrap;">PTS</code> (PIN Transaction Security) devices which gives an idea of the symmetric key algorithms and key management schemes employed <a href="https://listings.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices?export=true&agree=true&ref=haxrob.net" rel="noreferrer">here</a>). In an ATM, a device here is the actual "PIN keyboard" which encrypts the PIN very early on - and hence the ATM O/S (often running Microsoft Windows) is never exposed to the customer's (plain-text) PIN number.</div></div><p>FASTCash malware modifies transaction messages in a point in the network where tampering will not cause upstream or downstream systems to reject the message. A feasible position of interception would be where the ATM/PoS messages are converted from one format to another (For example, the interface between a proprietary protocol and some other form of an <code>ISO8583</code> message) or when some other modification to the message is done by a process running in the switch. </p><h3 id="operating-systems-and-platforms">Operating systems and platforms</h3><p><code>linux.fastcash</code> sample was compiled for Ubuntu Linux 22.04 (<a href="https://wiki.ubuntu.com/FocalFossa?ref=haxrob.net">Focal Fossa</a>) with GCC <code>11.3.0</code>. ATM switch software running on Ubuntu Linux though? Let's dig a bit further into the ecosystem to see if this fits. It goes without saying that performance (fast I/O) and high availability is paramount in core banking infrastructure. Examples of well known companies that develop switch software for banks include ATOS, ACI (Base 24) and BCP (SmartVista). This type of software could be found supported to run on "mainframe" or equivalent fault tolerant type platforms manufactured by IBM, HP and others.</p><div class="kg-card kg-callout-card kg-callout-card-grey"><div class="kg-callout-emoji">💡</div><div class="kg-callout-text">It has been <i><em class="italic" style="white-space: pre-wrap;">speculated</em></i> that the (IBM) AIX variant of the FASTCash malware targeted BCP SmartVista Front End software (See "<a href="https://github.com/fboldewin/FastCashMalwareDissected/blob/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf?ref=haxrob.net" rel="noreferrer">Operation Fast Cash - Hidden Cobra‘s AIX PowerPC malware dissected</a>"). </div></div><p>A Google search away reveals documentation and commercial presentations for traditional ATM switch software vendors which mostly advertise support for proprietary UNIX-like systems and Microsoft Windows. For example, in addition to AIX and Windows, BCP has advertised that it had supported being run on Redhat Linux. More recently, companies have emerged on the scene with their switch software running in the cloud (e.g. AWS) and in containers. There are switch software vendors that do advertise generic support for Linux, although their names will be omitted here to avoid possible confusion/mistaken attribution. </p><div class="kg-card kg-callout-card kg-callout-card-grey"><div class="kg-callout-emoji">💡</div><div class="kg-callout-text">At risk of going off track a bit here, let's take a brief look at central switches which are in a different class of their own - These switches, run by interbank (ATM) networks and card schemes such as Visa and Mastercard, mandate high transaction rates on fault tolerant platforms. In instances this could be custom software written to be run on 'mainframe' type platforms such as the the IBM Z series. <br><br>Visa <a href="https://www.visa.co.uk/dam/VCOM/download/corporate/media/visanet-technology/aboutvisafactsheet.pdf?ref=haxrob.net" rel="noreferrer">state</a> that a maximum capacity of 65,000 transactions per second: That's actually a very high number in respect to financial transactions. At least historically, central switch software likely was developed in-house and written in assembly for the<a href="https://www.iso.org/obp/ui/en/?ref=haxrob.net#iso:std:iso:8583:ed-3:v1:en" rel="noreferrer"> z/TPF</a>. To give an idea of the scale of this transaction processing capability, for reference, a commercial presentation dated 2010 found on the Internet describes a load test simulation with 17,000 ATMs and 27,000 trade terminals resulting to 650 transactions per second loading a (now dated) HP Integrity <a href="https://en.wikipedia.org/wiki/HPE_Superdome?ref=haxrob.net" rel="noreferrer">Superdome </a>2 (Itanium 9350 w/64 cores) running HP-UX at 75% CPU usage.<br><br>On the topic of HP, in the 1970s, a primary competitor to IBM's mainframes was <a href="https://en.wikipedia.org/wiki/Tandem_Computers?ref=haxrob.net" rel="noreferrer">Tandem</a>, a "<i><em class="italic" style="white-space: pre-wrap;">dominant manufacturer of fault-tolerant computer systems for ATM networks, banks, stock exchanges</em></i>". Tandem's NonStop fault tolerant system exist today in <a href="https://assets.ext.hpe.com/is/content/hpedam/documents/4aa4-2000-2999/4aa4-2988/4aa4-2988enw.pdf?ref=haxrob.net" rel="noreferrer">a different form</a>, absorbed (or died off) within HP Enterprise. <a href="https://www.erlang-solutions.com/blog/why-do-systems-fail-tandem-nonstop-system-and-fault-tolerance/?ref=haxrob.net" rel="noreferrer">Here</a> is a relatively recent article on Tandem and fault tolerant systems which makes for an informative read. </div></div><p>To summarize this section, at least traditionally, does not really fit into core bank system infrastructure. With the increased adoption of opensource, it's certainly likely that other commercially supported Linux distributions could be found elsewhere in payment networks on systems that handle card transaction messages. On the topic of opensource, <a href="https://jpos.org/?ref=haxrob.net" rel="noreferrer">jPOS</a> is a well known open source payment switch software - with numerous newsgroup discussions revealing developers discussing integration into both ATM and PoS related platforms. Someone has even <a href="https://github.com/jrodriguesd/atm-driver/tree/main/modules/atm-driver-ndc?ref=haxrob.net" rel="noreferrer">driver</a> available for jPOS which adds support for the proprietary NDC ATM protocol. </p><p>Another theory on the Ubuntu Linux connection is that the malware developer was just using this as a base O/S for development purposes and planned on compiling it for a different platform at a later time.</p><h2 id="part-2fastcash-for-linux-analysis">Part 2 - FASTCash for Linux Analysis</h2><h3 id="attribution">Attribution</h3><p>CISA's <a href="https://www.cisa.gov/news-events/analysis-reports/ar20-239c?ref=haxrob.net" rel="noreferrer">report </a>"<em>North Korean Remote Access Tool: FASTCASH for Windows</em>" references a malware sample that manipulates <code>ISO8583</code> transaction messages in the same manner. Both the Windows and this Linux sample:</p><ul><li>Generate a random amount of <em>Turkish Lira</em> to be fraudulently added to the authorization response messages. <code>ISO4217</code> value of <code>949</code> representing Turkish Lira is specified in <code>DE54</code> (Additional amounts).</li><li><code>DE48</code> ("Additional data, private) uses the same custom value of <code>0387T</code> which is likely specific to it's target payment processing systems. Think of<code>DE48</code> as a custom field - meaning is dependent on what is specified for a specific network. The meaning of <code>0387T</code> might be very specific to a specific software vendor, or it could be a localized customization.</li><li>Both samples strip out 14 specific data elements when tampering with the authorization response message. Many of the elements are marked "Reserved for private" as per the <code>ISO8583</code> standard. It is unknown why this was done. </li></ul><p>There are some similarities in the relevant code segments on the Windows (<code>switch.dll</code>) and Linux "<code>libMyFc.so</code>" variants in how the response message is constructed. The format string for currency format and the additional data elements match. "Additional Data - Private" could be considered a "free text field" as per the <code>ISO8583</code> standard, and is assumed to be implementation specific.</p><figure class="kg-card kg-image-card"><img src="https://haxrob.net/content/images/2024/09/image-24.png" class="kg-image" alt="" loading="lazy" width="867" height="351" srcset="https://haxrob.net/content/images/size/w600/2024/09/image-24.png 600w, https://haxrob.net/content/images/2024/09/image-24.png 867w" sizes="(min-width: 720px) 720px"></figure><p>The range for the random funds amount generated per fraudulent transaction is the same (<code>12000</code> to <code>30000</code>):</p><figure class="kg-card kg-image-card"><img src="https://haxrob.net/content/images/2024/10/image-11.png" class="kg-image" alt="" loading="lazy" width="745" height="123" srcset="https://haxrob.net/content/images/size/w600/2024/10/image-11.png 600w, https://haxrob.net/content/images/2024/10/image-11.png 745w" sizes="(min-width: 720px) 720px"></figure><p>Also similar is the hooking into the <code>recv</code> call of a target process, validating the transaction type (MTI 1xx,2xx) to ensure that the transaction was from a magnetic swipe.</p><p>Both samples expect packets with a <code>2</code> byte message length, followed by a <code>5</code> byte <code>TPDU</code>. Both samples also add a constant value of <code>0x06</code> in the first byte and <code>0x00</code> in the last byte of the of the <code>TPDU</code>. It is unclear why this is done without knowledge of the downstream system(s) that will receive the fraudulent response message.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://haxrob.net/content/images/2024/10/image-15.png" class="kg-image" alt="" loading="lazy" width="604" height="153" srcset="https://haxrob.net/content/images/size/w600/2024/10/image-15.png 600w, https://haxrob.net/content/images/2024/10/image-15.png 604w"><figcaption><span style="white-space: pre-wrap;">injected responses have the same header</span></figcaption></figure><p><code>linux.fastcash</code> has reduced functionality compared to its Windows and AIX variants. For example hardcoded IP checks and incorrect PIN handling is not present.</p><p>In respect to the <code>ISO8583</code> message response message validation, there is a slight difference: The <code>DE3</code> (processing code) response values that are checked to match a balance enquiry or withdrawal differ in the their integer value (although the implementation of how the messages are tampered is the same). This difference may reflect that the Linux version runs on switch software that interfaces with a slight deviation in the representation of the processing code data element. That said, the subsequent tampering in both the balance enquiry and withdrawal are the same.</p><h3 id="implementation">Implementation</h3><p>Unlike other prior samples, the Linux variant is mostly written in object orientated C++ and was not stripped, maintaining global variables and class names. The purpose of each member function of the <code>MyFc</code> class is self evident: </p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://haxrob.net/content/images/2024/09/image-31.png" class="kg-image" alt="" loading="lazy" width="412" height="260"><figcaption><span style="white-space: pre-wrap;">Exported class member functions</span></figcaption></figure><p>It is likely that GCC 11.3.0 was used to compile the source on Ubuntu Linux 22.04:</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://haxrob.net/content/images/2024/09/image-11.png" class="kg-image" alt="" loading="lazy" width="200" height="35"><figcaption><a href="https://github.com/horsicq/Detect-It-Easy?ref=haxrob.net" rel="noreferrer"><span style="white-space: pre-wrap;">Detect It Easy</span></a></figcaption></figure><p>One identified sample was partially packed with UPX version  <code>4.02</code>. It is unlikely that this was used, as UPX is not compatible with ELF shared libraries. Notably, not all sections were successfully packed:</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://haxrob.net/content/images/2024/09/image-12.png" class="kg-image" alt="" loading="lazy" width="699" height="62" srcset="https://haxrob.net/content/images/size/w600/2024/09/image-12.png 600w, https://haxrob.net/content/images/2024/09/image-12.png 699w"><figcaption><span style="white-space: pre-wrap;">Here the AES IV and key are present in plaintext in the packed sample</span></figcaption></figure><h3 id="initialization">Initialization </h3><p>The malware is implemented as a shared library, intended to be injected into a existing running process by utilizing <a href="https://en.wikipedia.org/wiki/Ptrace?ref=haxrob.net" rel="noreferrer"><code>ptrace</code></a>. Code is likely taken from <a href="https://github.com/edouardpoitras/process_injection_example?ref=haxrob.net" rel="noreferrer"><code>process_injection_example</code></a> to invoke <code>ptrace</code> which then relies on <a href="https://github.com/Zeex/subhook?ref=haxrob.net" rel="noreferrer"><code>subhook</code></a> to setup the hook into glibc's <code>recv</code></p><p> If the address of <code>recv</code> cannot be found, an empty file with the name <code>GetSymbolFailed</code> is written to the current working directory.</p><figure class="kg-card kg-image-card"><img src="https://haxrob.net/content/images/2024/09/image-15.png" class="kg-image" alt="" loading="lazy" width="624" height="225" srcset="https://haxrob.net/content/images/size/w600/2024/09/image-15.png 600w, https://haxrob.net/content/images/2024/09/image-15.png 624w"></figure><p>The <code>/mnt/hgfs</code> path points to the VMsare hypervisor possibly being used during development. </p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://haxrob.net/content/images/2024/10/image-8.png" class="kg-image" alt="" loading="lazy" width="823" height="167" srcset="https://haxrob.net/content/images/size/w600/2024/10/image-8.png 600w, https://haxrob.net/content/images/2024/10/image-8.png 823w" sizes="(min-width: 720px) 720px"><figcaption><code spellcheck="false" style="white-space: pre-wrap;"><span> /mnt/hgfs</span></code><span style="white-space: pre-wrap;"> VMware uses hgfs file system for mounting volumes between host and VM</span></figcaption></figure><p>The initial entry point to <code>SoMain</code> is invoked upon loading the shared library, with the address of the function being an entry in the <code>.init_array</code> section. Likely with the original source having been decorated with the  <code>__attribute__(constructor)))</code>. </p><figure class="kg-card kg-image-card"><img src="https://haxrob.net/content/images/2024/09/image-1.png" class="kg-image" alt="" loading="lazy" width="1004" height="107" srcset="https://haxrob.net/content/images/size/w600/2024/09/image-1.png 600w, https://haxrob.net/content/images/size/w1000/2024/09/image-1.png 1000w, https://haxrob.net/content/images/2024/09/image-1.png 1004w" sizes="(min-width: 720px) 720px"></figure><p><code>SoMain</code> attempts to decrypt the configuration file by calling the <code>Initialize</code> constructor of the <code>FcCfg</code> class, and then if successful resolves and hooks into <code>glibc</code>'s <code>recv</code> function in order to parse incoming packets from the hooked processes' network socket(s). </p><p>The configuration file located at <code>/tmp/info.dat</code> contains a list of PANs (Personal Account Numbers) which is encrypted with <code>AES128</code> <code>CBC</code> using the opensource library "<a href="https://github.com/kokke/tiny-AES-c/?ref=haxrob.net" rel="noreferrer">Tiny AES in C</a><a href="https://github.com/kokke/tiny-AES-c/?ref=haxrob.net#tiny-aes-in-c"></a>". The decryption routine uses the key <code>W7SLFSG4OPBJNAA8</code> and initialization vector  <code>GXCR7299I9MOWS97</code>. </p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://haxrob.net/content/images/2024/09/image-16.png" class="kg-image" alt="" loading="lazy" width="561" height="238"><figcaption><span style="white-space: pre-wrap;">PAN file encrypted with 128 bit AES - CBC</span></figcaption></figure><h3 id="interception-of-packets">Interception of packets</h3><p><code>MyFc::recv</code> maintains a "state" of incoming <code>ISO8583</code> messages for a transaction which is initialized when the target process expects to receive exactly two bytes. This is the <code>TPDU</code> header expected to contain a 16 bit unsigned integer corresponding to a <code>ISO8535</code> message size in bytes.</p><p>The hooked <code>recv</code> routine parses the message size from the first 2 bytes, then calls <code>recvall</code> until that length of data has been received, copies it into a buffer then unpacks into an <code>ISO8583</code> message for parsing. Note the <code>5</code> byte offset passing in the received buffer to <code>DL_ISO8583_MSG_Unpack</code>. This corresponds to a <code>5</code> byte <code>TPDU</code>.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://haxrob.net/content/images/2024/09/image-18.png" class="kg-image" alt="" loading="lazy" width="765" height="452" srcset="https://haxrob.net/content/images/size/w600/2024/09/image-18.png 600w, https://haxrob.net/content/images/2024/09/image-18.png 765w" sizes="(min-width: 720px) 720px"><figcaption><span style="white-space: pre-wrap;">approximate representation of the injected recv() implementation</span></figcaption></figure><p>As with other variants, the "<a href="https://github.com/sabit/Oscar-ISO8583?ref=haxrob.net" rel="noreferrer">Oscar-ISO8583</a>" C library has been used to parse and repack the <code>ISO8583</code> messages. On receiving a valid <code>ISO8583</code> message, <code>MTI</code> (Message Type Indicator) Message subclass is checked to see the origin is from the acquirer with an authorization (<code>x100</code>) or financial (<code>x200</code>) request.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://haxrob.net/content/images/2024/09/image-22.png" class="kg-image" alt="" loading="lazy" width="537" height="323"><figcaption><span style="white-space: pre-wrap;">MTI, PAN, Point of Service</span></figcaption></figure><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://haxrob.net/content/images/2024/09/image-23.png" class="kg-image" alt="" loading="lazy" width="499" height="158"><figcaption><span style="white-space: pre-wrap;">MTI 100 or 200 matched</span></figcaption></figure><p>The <code>DE22</code> (Point of Service entry mode) is checked to be a m<a href="https://stackoverflow.com/questions/29820337/difference-between-pos-entry-modes-field-22?ref=haxrob.net" rel="noreferrer">agnetic swipe read</a>. The initial value in the field is expected to be three digits in BCD format. It is converted to an integer with <code>stoi</code> then divided by <code>100</code>, effectively retaining the first digit that is then compared to the value of <code>9</code> - Magnetic Swipe. By discarding the other digits, the "PIN capability" (how the PIN was obtained) is not considered. </p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://haxrob.net/content/images/2024/10/image-5.png" class="kg-image" alt="" loading="lazy" width="350" height="77"><figcaption><span style="white-space: pre-wrap;">Entry mode containing 9.</span></figcaption></figure><p><code>PAN</code> in the message is then matched against the list in the decrypted configuration file. If there is a match, the the following fields are verified to be populated:</p><ul><li>Processing code (<code>DE3</code>)</li><li>Transaction amount (<code>DE4</code>)</li><li>System trace audit number (<code>DE11</code>) </li><li>Currency (<code>DE49</code>) </li></ul><figure class="kg-card kg-image-card"><img src="https://haxrob.net/content/images/2024/10/image-6.png" class="kg-image" alt="" loading="lazy" width="588" height="271"></figure><p>The <code>PAN</code>, transaction amount and currency is then logged to the file <code>/tmp/trans.dat</code> </p><h3 id="generating-fraudulent-responses">Generating fraudulent responses</h3><p>The real magic happens in the appropriately named <code>MyFC::Hack</code>. A random amount set between <code>12000</code> and <code>30000</code> (April 2022 TRY/USD exchange rate this would equate to approximately 800USD to 2,000 USD... Due to inflation Türkiye, at the time of writing, the value to the USD is less then half this. One has to wonder if the threat actor updated the figures in the malware at any stage to accommodate..) The 3rd byte in the <code>MTI</code> is set to <code>1</code> which represents a message response.</p><p><code>DE3</code> (processing code) is checked against <a href="https://developer.mastercard.com/mastercard-merchant-presented-qr/documentation/server-apis/response-error-codes/?ref=haxrob.net" rel="noreferrer">two error codes</a>: <code>51</code> (Insufficient Funds) or <code>48</code> which is "Reserved for ISO use", here likely representing  a balance check.</p><p><strong>51 - Insufficient Funds</strong></p><p>In the case of <code>51</code>, insufficient funds, <code>DE38</code> (approval code) is overwritten with whitespace and <code>DE39</code> (Action code) set to "approve" by the <code>Approve</code> function.</p><p>The fraudulent balance is specified in a string of format <code>AA VV CCC X NNNN...</code> which is set in <code>DE54</code> (Additional amounts). </p><p>According to the standard, the format is:</p><ul><li><code>AA</code> is the account type</li><li><code>VV</code> is the type of amount (here <code>02</code>, meaning available account balance)</li><li><code>CCC</code> is the currency code (here <code>949</code>, meaning <code>TRY</code>)</li><li><code>X</code> is either positive or negative (with <code>C</code> meaning positive, <code>D</code> represents negative)</li><li><code>NNNN..</code> is the amount (here the random amount multiplied by <code>100</code>). It is possible that this amount is specified in <a href="https://en.wikipedia.org/wiki/Kuru%C5%9F?ref=haxrob.net" rel="noreferrer">Kuruş</a>.</li></ul><figure class="kg-card kg-image-card"><img src="https://haxrob.net/content/images/2024/09/image-48.png" class="kg-image" alt="" loading="lazy" width="689" height="315" srcset="https://haxrob.net/content/images/size/w600/2024/09/image-48.png 600w, https://haxrob.net/content/images/2024/09/image-48.png 689w"></figure><p><strong>48 - Reserved for use (assumed balance check)</strong></p><p>If a processing code of <code>48</code> is received instead of <code>58</code> (Insufficient funds), the <code>DE38</code> (Approval code) is populated with the random fund amount which effectively is multiplied by <code>1.3</code> (the multiplication and division) and then is constrained to 6 digits via the modulo operation. Additionally, as with the prior, a very specific string <code>0387T</code> is set in <code>DE48</code> (Additional data, private) as is done in the "insufficient funds" routine. At the time of writing, the meaning of this string is undetermined.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://haxrob.net/content/images/2024/09/image-46.png" class="kg-image" alt="" loading="lazy" width="590" height="104"><figcaption><span style="white-space: pre-wrap;">Processing code "48" approximation</span></figcaption></figure><p>This is likely to occur for <code>MTI</code> response <code>110</code> for a balance enquiry.  </p><p>After the relevant processing code has been handled, there are additional modifications to remove 14 specific fields:</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://haxrob.net/content/images/2024/09/image-47.png" class="kg-image" alt="" loading="lazy" width="516" height="209"><figcaption><span style="white-space: pre-wrap;">Data elements removed when assembling the fraudulent message</span></figcaption></figure><p>A header is assembled which contains the total length (including the header size of 5 bytes), followed by a hardcoded value of <code>6</code> which may correspond to the <code>ID</code> field in a <code>TPDU</code> header. The function <code>PlatformSocketSend</code> calls the <code>send</code> system call for the fraudulent message to be sent onwards to the <em>acquirer</em>.</p><figure class="kg-card kg-image-card"><img src="https://haxrob.net/content/images/2024/10/image-7.png" class="kg-image" alt="" loading="lazy" width="679" height="370" srcset="https://haxrob.net/content/images/size/w600/2024/10/image-7.png 600w, https://haxrob.net/content/images/2024/10/image-7.png 679w"></figure><h2 id="detection-and-prevention">Detection and prevention</h2><p>Discovery of the Linux variant further emphasizes the need for adequate detection capabilities which are often lacking in Linux server environments. The process injection technique employed to intercept the transaction messages should be flagged by any commercial EDR or opensource Linux agent with the appropriate configuration to detect usage of the <a href="https://man7.org/linux/man-pages/man2/ptrace.2.html?ref=haxrob.net" rel="noreferrer">ptrace </a>system call. As they say, <em>prevention is better then the cure</em>, and the recommendation are best summarized by <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-239a?ref=haxrob.net" rel="noreferrer">CISA</a>:</p><blockquote>- Implement chip and PIN requirements for debit cards.<br>- Require and verify message authentication codes on issuer financial request response messages.<br>- Perform authorization response cryptogram validation for chip and PIN transactions.</blockquote><h3 id="indicators-of-compromise">Indicators of Compromise</h3><p><strong>SHA-256 hashes</strong></p><p><em>FASTCash for Linux</em></p><p><code>f34b532117b3431387f11e3d92dc9ff417ec5dcee38a0175d39e323e5fdb1d2c<br><br>7f3d046b2c5d8c008164408a24cac7e820467ff0dd9764e1d6ac4e70623a1071</code> (UPX)</p><p><em>FastCash for Windows</em></p><p><code>afff4d4deb46a01716a4a3eb7f80da58e027075178b9aa438e12ea24eedea4b0<br><br>f43d4e7e2ab1054d46e2a93ce37d03aff3a85e0dff2dd7677f4f7fb9abe1abc8<br><br>5232d942da0a86ff4a7ff29a9affbb5bd531a5393aa5b81b61fe3044c72c1c00<br><br>2611f784e3e7f4cf16240a112c74b5bcd1a04067eff722390f5560ae95d86361</code> <br><br><code>c3904f5e36d7f45d99276c53fed5e4dde849981c2619eaa4dbbac66a38181cbe<br><br>609a5b9c98ec40f93567fbc298d4c3b2f9114808dfbe42eb4939f0c5d1d63d44</code> <br><br><code>078f284536420db1022475dc650327a6fd46ec0ac068fe07f2e2f925a924db49</code> (RAR)</p><p><em>Previously identified / attributed (2018 to 2020)</em></p><p><code>129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0</code> (Windows)<br><br><code>10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba</code> (AIX)<br><br><code>3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c</code> (AIX)</p><p></p><p></p>
    </section>


</article>
</main>

    <section class="footer-cta outer">
        <div class="inner">
            <h2 class="footer-cta-title">Sign up for more like this.</h2>
            <a class="footer-cta-button" href="#/portal" data-portal>
                <div class="footer-cta-input">Enter your email</div>
                <span>Subscribe</span>
            </a>
        </div>
    </section>



            <aside class="read-more-wrap outer">
                <div class="read-more inner">
                        
<article class="post-card post keep-ratio">

    <a class="post-card-image-link" href="/hiding-in-plain-sight-part-2/">

        <img class="post-card-image"
            srcset="/content/images/size/w300/2024/07/solaros.webp 300w,
                    /content/images/size/w600/2024/07/solaros.webp 600w,
                    /content/images/size/w1000/2024/07/solaros.webp 1000w,
                    /content/images/size/w2000/2024/07/solaros.webp 2000w"
            sizes="(max-width: 1000px) 400px, 800px"
            src="/content/images/size/w600/2024/07/solaros.webp"
            alt="Hiding in plain sight (part 2) - Abusing the dynamic linker"
            loading="lazy"
        />


    </a>

    <div class="post-card-content">

        <a class="post-card-content-link" href="/hiding-in-plain-sight-part-2/">
            <header class="post-card-header">
                <div class="post-card-tags">
                </div>
                <h2 class="post-card-title">
                    Hiding in plain sight (part 2) - Abusing the dynamic linker
                </h2>
            </header>
                <div class="post-card-excerpt">A stealthy process stomping method compatible with UNIX-like systems with anti-forensic enhancements for Linux.</div>
        </a>

        <footer class="post-card-meta">
            <time class="post-card-meta-date" datetime="2024-08-02">Aug 2, 2024</time>
                <span class="post-card-meta-length">14 min read</span>
        </footer>

    </div>

</article>
                        
<article class="post-card post keep-ratio">

    <a class="post-card-image-link" href="/process-name-stomping/">

        <img class="post-card-image"
            srcset="/content/images/size/w300/2024/04/morris.png 300w,
                    /content/images/size/w600/2024/04/morris.png 600w,
                    /content/images/size/w1000/2024/04/morris.png 1000w,
                    /content/images/size/w2000/2024/04/morris.png 2000w"
            sizes="(max-width: 1000px) 400px, 800px"
            src="/content/images/size/w600/2024/04/morris.png"
            alt="Hiding in plain sight: Modifying process names in UNIX-like systems (part 1)"
            loading="lazy"
        />


    </a>

    <div class="post-card-content">

        <a class="post-card-content-link" href="/process-name-stomping/">
            <header class="post-card-header">
                <div class="post-card-tags">
                </div>
                <h2 class="post-card-title">
                    Hiding in plain sight: Modifying process names in UNIX-like systems (part 1)
                </h2>
            </header>
                <div class="post-card-excerpt">Exploring ways malware on Linux and other UNIX-like systems can disguise their process names.</div>
        </a>

        <footer class="post-card-meta">
            <time class="post-card-meta-date" datetime="2024-06-30">Jun 30, 2024</time>
                <span class="post-card-meta-length">16 min read</span>
        </footer>

    </div>

</article>
                        
<article class="post-card post keep-ratio">

    <a class="post-card-image-link" href="/onavo-facebook-ssl-mitm-technical-analysis/">

        <img class="post-card-image"
            srcset="/content/images/size/w300/2024/04/fbdark-1.webp 300w,
                    /content/images/size/w600/2024/04/fbdark-1.webp 600w,
                    /content/images/size/w1000/2024/04/fbdark-1.webp 1000w,
                    /content/images/size/w2000/2024/04/fbdark-1.webp 2000w"
            sizes="(max-width: 1000px) 400px, 800px"
            src="/content/images/size/w600/2024/04/fbdark-1.webp"
            alt="How did Facebook intercept their competitor&#x27;s encrypted mobile app traffic?"
            loading="lazy"
        />


    </a>

    <div class="post-card-content">

        <a class="post-card-content-link" href="/onavo-facebook-ssl-mitm-technical-analysis/">
            <header class="post-card-header">
                <div class="post-card-tags">
                </div>
                <h2 class="post-card-title">
                    How did Facebook intercept their competitor&#x27;s encrypted mobile app traffic?
                </h2>
            </header>
                <div class="post-card-excerpt">A technical investigation into information uncovered in a class action lawsuit that Facebook had intercepted encrypted traffic from user&#39;s devices running the Onavo Protect app in order to gain competitive insights.</div>
        </a>

        <footer class="post-card-meta">
            <time class="post-card-meta-date" datetime="2024-04-14">Apr 14, 2024</time>
                <span class="post-card-meta-length">13 min read</span>
        </footer>

    </div>

</article>
                </div>
            </aside>



    </div>

    <footer class="site-footer outer">
        <div class="inner">
            <section class="copyright"><a href="https://haxrob.net">haxrob</a> &copy; 2024</section>
            <nav class="site-footer-nav">
                <ul class="nav">
    <li class="nav-sign-up"><a href="#/portal/">Sign up</a></li>
</ul>

            </nav>
            <div class="gh-powered-by"><a href="https://ghost.org/" target="_blank" rel="noopener">Powered by Ghost</a></div>
        </div>
    </footer>

</div>

    <div class="pswp" tabindex="-1" role="dialog" aria-hidden="true">
    <div class="pswp__bg"></div>

    <div class="pswp__scroll-wrap">
        <div class="pswp__container">
            <div class="pswp__item"></div>
            <div class="pswp__item"></div>
            <div class="pswp__item"></div>
        </div>

        <div class="pswp__ui pswp__ui--hidden">
            <div class="pswp__top-bar">
                <div class="pswp__counter"></div>

                <button class="pswp__button pswp__button--close" title="Close (Esc)"></button>
                <button class="pswp__button pswp__button--share" title="Share"></button>
                <button class="pswp__button pswp__button--fs" title="Toggle fullscreen"></button>
                <button class="pswp__button pswp__button--zoom" title="Zoom in/out"></button>

                <div class="pswp__preloader">
                    <div class="pswp__preloader__icn">
                        <div class="pswp__preloader__cut">
                            <div class="pswp__preloader__donut"></div>
                        </div>
                    </div>
                </div>
            </div>

            <div class="pswp__share-modal pswp__share-modal--hidden pswp__single-tap">
                <div class="pswp__share-tooltip"></div>
            </div>

            <button class="pswp__button pswp__button--arrow--left" title="Previous (arrow left)"></button>
            <button class="pswp__button pswp__button--arrow--right" title="Next (arrow right)"></button>

            <div class="pswp__caption">
                <div class="pswp__caption__center"></div>
            </div>
        </div>
    </div>
</div>
<script
    src="https://code.jquery.com/jquery-3.5.1.min.js"
    integrity="sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0="
    crossorigin="anonymous">
</script>
<script src="https://haxrob.net/assets/built/casper.js?v=9159c4dccf"></script>
<script>
$(document).ready(function () {
    // Mobile Menu Trigger
    $('.gh-burger').click(function () {
        $('body').toggleClass('gh-head-open');
    });
    // FitVids - Makes video embeds responsive
    $(".gh-content").fitVids();
});
</script>

<!--
<script src="https://cdnjs.cloudflare.com/ajax/libs/prism/1.28.0/components/prism-core.min.js" integrity="sha512-9khQRAUBYEJDCDVP2yw3LRUQvjJ0Pjx0EShmaQjcHa6AXiOv6qHQu9lCAIR8O+/D8FtaCoJ2c0Tf9Xo7hYH01Q==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/prism/1.28.0/plugins/autoloader/prism-autoloader.min.js" integrity="sha512-fTl/qcO1VgvKtOMApX2PdZzkziyr2stM65GYPLGuYMnuMm1z2JLJG6XVU7C/mR+E7xBUqCivykuhlzfqxXBXbg==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
<script>
  // https://highlightjs.org/
activateHighlight = function() {
    document.querySelectorAll("pre code").forEach(
        function(currentValue, currentIndex, listObj) {
    		hljs.highlightBlock(currentValue);
        }
    );
}

if (window.attachEvent) {
    window.attachEvent('onload', loadHighlight);
} else {
    if (window.onload) {
		var originalOnload = window.onload;
    	var newOnload = function(evt) {
        	originalOnload(evt);
        	activateHighlight(evt);
    	};
    	window.onload = newOnload;
    } else {
        window.onload = activateHighlight;
    }
}
</script>
<style>
.gh-content pre {
      background: #ffffff00;
}
</style>
-->
<script>document.addEventListener('DOMContentLoaded',function(){var contentElement=document.querySelector('.gh-content');if(contentElement){var asideElement=document.createElement('aside');asideElement.className='gh-sidebar';asideElement.innerHTML='<div class="gh-toc"></div>';var firstChildElement=contentElement.firstElementChild;if(firstChildElement){firstChildElement.insertAdjacentElement('beforebegin',asideElement)}else{contentElement.appendChild(asideElement)}tocbot.init({tocSelector:'.gh-toc',contentSelector:'.gh-content',headingSelector:'h1,h2,h3,h4',hasInnerContainers:true, collapseDepth:1})}});</script>

</body>
</html>
